Cry36 Ransomware

Existing ransomware threats are now being developed to hit larger numbers of computers. The Cry36 ransomware is one of the variants associated with Cry9, Cry128, Dharma, and CryptON, the latter of which is sometimes referred to as Nemesis. The Cry36 ransomware is not just a new launch with a unique name: it has been found that the files affected by this threat differ from their original copies by 36 bytes. This only shows that cyber criminals keep working on their projects, and computer users should always be aware of new attacks.

All these ransomware infections have been aimed at locking users out of their systems and holding the data for ransom. The Cry36 ransomware is a dangerous threat that encrypts files and blocks certain security programs so that its malicious processes are not terminated. Once ransomware is spotted on the computer, you should act immediately to remove it from the computer and shield the system against many other potential threats.

The Cry36 ransomware, as well as its counterparts, is capable of encrypting different types of files, including the most popular ones such as .doc, .zip, and .png. The infection scans the system for certain file extensions and adds its five-character extension to the filename of the encrypted data. The appended extensions vary; they may contain different digits and letters. Additionally, the extension created by the Cry36 ransomware contains the ID of the victimized computer and an email address, which is likely to be an email address of the attacker. It has been found that there are several different email addresses used by the criminals, as exemplified below:

.2271021857_[mk.rain@aol.com].be87r

id-2559797930_[mk.smoke@aol.com].a97rq

id-1163283255_[liukang@mortalkombat.su].aj29p

The email addresses may vary too, which is not surprising given that the Wallet ransomware infection is known to have used over 100 email addresses. Nevertheless, the attackers behind the Cry36 Trojan do not seem to be willing to communicate with their victims via email, as some prior ransomware attacks did. Instead, they offer an alternative communication method which has been forgotten for a while.

Once the encryption process is completed, the Cry36 ransomware creates a .txt file containing the schemers' message to the victim. The file is named ### DECRYPT MY FILES ###.txt, and it contains instructions on how to contact the attackers for more information. According to the ransom message, the victim has to download the Tor browser and then copy and paste the given link into the browser address box so that a chat box is opened. More specifically, the attackers provide a link to a .onion website. This tactic differs slightly from the ones used by the Dharma and CryptON ransomware, but all these threats are malicious, and they should be removed from every affected computer.
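The filename scheme and ransom note described above can be recognised from a plain directory listing. The following triage helper is an added example, not code from the original article or from any vendor tool: its regular expression is derived from the three sample extensions quoted earlier (the "id-" prefix is optional because the first sample lacks it), and the directory listing it runs on is constructed, not captured from a real infection.

```python
import re
from collections import Counter

# Added example (not from the original article): defender-side triage for the
# Cry36 naming scheme and ransom note. Pattern derived from the article's three
# sample extensions; "id-" is optional because the first sample lacks it.
CRY36_NAME = re.compile(
    r"^(?P<original>.+?)\."          # original filename, e.g. report.docx
    r"(?:id-)?(?P<victim_id>\d+)_"   # victim ID, optionally prefixed "id-"
    r"\[(?P<email>[^\]]+)\]\."       # attacker contact address in brackets
    r"(?P<suffix>[a-z0-9]{5})$"      # five-character alphanumeric suffix
)
RANSOM_NOTE = "### DECRYPT MY FILES ###.txt"


def parse_cry36_name(filename):
    """Return the parts of a Cry36-style filename, or None if it does not match."""
    m = CRY36_NAME.match(filename)
    return m.groupdict() if m else None


def triage(filenames):
    """Summarise a directory listing: encrypted files, IDs/emails seen, note present."""
    encrypted, ids, emails, note_present = [], Counter(), Counter(), False
    for name in filenames:
        if name == RANSOM_NOTE:
            note_present = True
            continue
        parts = parse_cry36_name(name)
        if parts:
            encrypted.append(parts)
            ids[parts["victim_id"]] += 1
            emails[parts["email"]] += 1
    return {
        "encrypted_files": encrypted,
        "victim_ids": dict(ids),
        "emails": dict(emails),
        "ransom_note_present": note_present,
        "infected": bool(encrypted) or note_present,
    }


# Constructed sample listing (not real data) built from the article's extensions.
SAMPLE_LISTING = [
    "budget.xlsx.id-2559797930_[mk.smoke@aol.com].a97rq",
    "photo.png.2271021857_[mk.rain@aol.com].be87r",
    "notes.doc",
    RANSOM_NOTE,
]
```

Running `triage(SAMPLE_LISTING)` reports two renamed files, both contact addresses, and the presence of the note; the same function can be pointed at `os.listdir()` output from a suspect share or user profile.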

Usually ransomware developers demand Bitcoin, a cryptocurrency that is not owned or managed by anybody, meaning that Bitcoin transactions cannot be tracked back. Moreover, money transactions are made anonymously, hence its popularity and the huge profits made since the rise of ransomware in 2015. However, the present case with Cry36 is just one example among hundreds of other ransomware threats collecting money in the form of bitcoins. The tendency to demand bitcoins may change at any time, but for now some preventative measures should be taken.

When it comes to cyber security, making copies of your valuable files is crucial. Very often attackers promise to send a decryption tool or decryption key in return for the ransom payment, but nobody can guarantee that. In order to prevent long-lasting consequences, you should back up your files as often as you can so that no havoc is caused when you are faced with ransomware.

Before restoring your corrupted data from a storage device or some other source, it is essential to remove the Cry36 ransomware for good. To do so, you should use a reputable malware removal tool, which will scan the operating system for you and will detect other security-related issues if any are present. Ransomware, as well as many other threats, spreads via spam and phishing emails, software distribution websites, and other online channels. Your unprotected system needs professional protection against multiple threats, and our team recommends using a tool that can prevent further damage.

If you would rather try removing the Cry36 ransomware manually, use our removal guidelines, but note that you remove the infection at your own risk.

How to remove Cry36 ransomware

1. Remove the file launching the infection. Check the Downloads and Temp folders for this malware.

2. Access the %APPDATA% directory and remove all questionable files.

3. Open Registry Editor and go to HKCU\Software\. Find the key associated with Cry36.

4. Follow the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete values associated with the Cry36 ransomware.